Lessons Learned from the VPNFilter Malware Attacks — Router Security

On May 25th of this year, the FBI urged people to reboot their routers. The reason behind this alert was a malware cyber attack that is currently compromising older-model home and office routers. Estimates indicate that over one million routers have been infected with VPNFilter malware worldwide since its first appearance two years ago. One of the results of this outbreak is a global botnet under the control of the Sofacy Group. This group is believed to have perpetrated the successful attack on the Democratic National Convention and evidence suggests they have strong ties to Russian military intelligence.

It is important to realize that the VPNFilter malware is not your typical infection. It can specifically target network traffic that contains sensitive data, harvest that data, and then manipulate traffic and incoming data to successfully cover its tracks. VPNFilter is a serious cybersecurity threat that requires prompt and effective attention.

The VPNFilter Malware Attacks

The VPNFilter malware was first detected in 2016. Since then, it has successfully infected nearly a million routers in 54 different countries. Its preferred target is older routers with security vulnerabilities. These routers include those manufactured by well-known companies such as Linksys, MikroTik, ASUS, Netgear, D-Link, QNAP, ZTE, and TP-Link. Though the malware’s primary target has been older routers, it can also infect network-attached storage devices (NAS), which consist of several hard drives and are primarily used to store data for access by multiple users.

VPNFilter malware causes a multistage infection. The initial infection is called a “stage-one infection” and can be virtually impossible to detect, which makes its threat all the more critical. This stage does not involve any malicious actions on behalf of the malware, but it sets the system up for the next stage.

Once VPNFilter malware reaches stage two of the infection, it can begin to collect private information, disable the device, block web traffic, manipulate Internet traffic, destroy the router’s functionality, and use the device as a launching point for further malicious attacks. Despite the massive range of damage it can cause, the malware remains difficult to detect.

The VPNFilter malware can target traffic that contains sensitive information, such as banking data, including login details and account information. That intercepted data can then be sent back to the perpetrators of the malware through servers under their control. Experts report that the malware can even modify the banking data the router receives. It does this to make the data (in this case, a bank balance) look normal when in fact it has been compromised (e.g., the balance is actually being siphoned off by the hackers).

It is disconcerting to know that these hostile actors can access critical information undetected. It is even more worrisome to realize they can also manipulate that information to hide the fact that they not only have access to it but have taken full control of it. Even more disturbing is VPNFilter’s ability to also target SCADA traffic that is used to control nuclear reactors, chemical plants, and electrical power systems. The repercussions of that kind of undetected access and control are almost unimaginable and could involve significant loss of life.

As mentioned earlier, the VPNFilter malware can cover its tracks to the point that even the most technologically savvy user may not realize the malware has compromised the router. Routers can progress from a stage-one infection to a stage-two infection and remain completely undetected. Since the malware is concealed so well, the infection can stay in place much longer, resulting in exponentially worse damage the longer it hides.

FBI warnings are encouraging people to reboot their routers, but the VPNFilter malware can still infect the router even after it has been rebooted (VPNFilter is one of the few malware families that can survive a reboot). Tracking the malware to its source has been a major challenge because of its use of misattributable networks and encryption. VPNFilter can be remotely updated, too. There is no simple fix for eliminating it once it has infected a device, even if it is only a stage-one infection. To make matters worse, it is almost impossible for a user to tell if their router is infected. The safest route is to assume that older routers manufactured by the brands listed above are in fact infected.

Who Is Behind the VPNFilter Malware

VPNFilter is a highly sophisticated and well-designed malware so complex that experts are convinced it must be the work of a government power rather than a small group of coders. Evidence suggests that its source is in Russia. There is a line of code in VPNFilter that matches a line of code in the BlackEnergy malware. BlackEnergy was used in December 2015 in an attack against the Ukrainian power grid, an attack that Russia is believed to have perpetrated. The fact that most of the VPNFilter infections since 2016 have been in Ukraine and those infections are tied to a different command-and-control server further supports the suspicion that Russia is behind the VPNFilter outbreak.

The US Justice Department believes they have tracked down the perpetrator of the malware: the Sofacy Group (aka A.P.T. 28, Fancy Bear, and STRONTIUM, among other names), a powerful and effective cyber espionage group believed to be associated with a Russian military intelligence agency. The Sofacy Group is the same group believed to have been directed by the Russian government to hack the Democratic National Committee before the 2016 election. Other targets of the Sofacy Group have included NATO, Emmanuel Macron’s campaign, the White House, and the German parliament. This group is well known for targeting security organizations, governments, militaries, and journalists.

Counter Measures

Cisco and Symantec have been working together with the FBI to track the malware for at least two years. While the infection mechanism itself remains unknown, investigators have determined that the main victims of VPNFilter are older routers. Not many people patch their routers, making those unpatched devices extremely susceptible to cyber attacks.

On May 30th, the FBI took control of the domain toknowall.com, which turned out to be a VPNFilter command-and-control center. This type of action is referred to as “sinkholing” and is used to temporarily disrupt the malware’s system.

When an infected router is rebooted, the second stage of the malware infection is eliminated, but the first stage remains. Immediately after a restart, the first stage of the infection contacts the command-and-control server at the domain toknowall.com for further instructions. Now that the FBI has control of that domain, the malware is contacting the FBI instead of the malware’s server.

The FBI-controlled server will capture the IP address of the infected router. The Shadowserver Foundation is a non-profit partner organization that is assisting the FBI by disseminating the IP addresses of the infected routers to those who can help, namely ISPs and foreign CERTs.

The FBI’s primary goal with this course of action is to minimize the subsequent disruption caused by VPNFilter. Sadly, this does not fix the problem for infected routers. The malware still remains after a reboot, and soon a new command-and-control server could gain control: the infected devices would be remotely updated to contact the new server, and the cycle continues.
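The stage-one callback described above is also a signal defenders can watch for: after a reboot, an infected device has to look up the command-and-control domain, and that lookup shows up in the network’s DNS logs. The script below is an added example (it is not from the article, the FBI, or any vendor) that scans DNS query logs for the domain the article names, toknowall.com, and reports which internal hosts tried to resolve it. The log lines are constructed for this example in a dnsmasq-style “query[A] name from client” format; the exact format is an assumption, so adjust the regular expression for your resolver’s logs.

```python
import re

# Domain the article identifies as a sinkholed VPNFilter stage-one
# command-and-control host. Subdomains are matched too.
SINKHOLED_DOMAINS = {"toknowall.com"}

# Constructed sample log lines (not real captures). The format assumed here is
# dnsmasq's "query[TYPE] name from client"; adapt LINE_RE for other resolvers.
SAMPLE_DNS_LOG = """\
May 31 06:12:01 gw dnsmasq[311]: query[A] www.example.org from 192.168.1.20
May 31 06:12:03 gw dnsmasq[311]: query[A] toknowall.com from 192.168.1.1
May 31 06:12:04 gw dnsmasq[311]: query[A] update.example.net from 192.168.1.31
May 31 06:12:09 gw dnsmasq[311]: query[A] TOKNOWALL.COM. from 192.168.1.1
May 31 06:12:15 gw dnsmasq[311]: query[A] cdn.toknowall.com from 192.168.1.47
May 31 06:12:20 gw dnsmasq[311]: query[A] nottoknowall.com from 192.168.1.52
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from "
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3})$"
)


def is_sinkholed(name):
    """True when the queried name is a sinkholed domain or one of its subdomains.

    Trailing dots and case are normalised so "TOKNOWALL.COM." still matches,
    while look-alike names such as "nottoknowall.com" do not.
    """
    host = name.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in SINKHOLED_DOMAINS)


def find_callbacks(log_text):
    """Group sinkholed-domain lookups by the client that made them.

    Returns {client_ip: {"count": n, "first_seen": timestamp, "names": [...]}}.
    Lines that do not parse are skipped rather than treated as errors.
    """
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_sinkholed(m["name"]):
            continue
        rec = hits.setdefault(
            m["client"], {"count": 0, "first_seen": m["ts"], "names": []}
        )
        rec["count"] += 1
        rec["names"].append(m["name"])
    return hits


def report(hits):
    """Render the findings as plain text for a ticket or an e-mail to the ISP."""
    if not hits:
        return "No lookups of sinkholed VPNFilter domains found."
    lines = ["Hosts that resolved a sinkholed VPNFilter C2 domain (likely stage-one infected):"]
    for client, rec in sorted(hits.items()):
        lines.append(
            f"  {client}: {rec['count']} lookup(s), first seen {rec['first_seen']}, "
            f"names={sorted(set(rec['names']))}"
        )
    lines.append("Action: factory-reset, update firmware, or replace the device; a reboot alone is not enough.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_callbacks(SAMPLE_DNS_LOG)))
```

In the constructed log, 192.168.1.1 (the router itself) and 192.168.1.47 are flagged; the host that queried nottoknowall.com is not, because matching is done on whole labels rather than substrings. A hit from the router’s own address is the pattern the article describes: the router, not a client behind it, is the infected device.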

What Should I Do?

The first step to addressing this problem is to recognize that merely rebooting an infected router does not solve the problem. Restarting temporarily stops a stage-two infection, but the stage-one infection remains, and thus the router remains infected. As soon as an infected router is rebooted, the stage-one infection reaches out to the command-and-control server. For now, that server is under FBI control, but that can change, and the infection could once again reach stage two. The only thing that rebooting a router does is help the FBI keep track of how many routers have been compromised (as the stage-one infected routers try to make contact with the command-and-control server) and slow down the progression of the infection until a new command-and-control server has been set up by the Sofacy Group.

For a more proactive approach, here is what should be done:

Reboot the router by unplugging it from the power supply for 30 seconds, then plugging it back in.

Reset the router to factory settings. Instructions on how to accomplish this will be in the router’s manual or on the manufacturer’s website, and will usually involve a microswitch within a recessed hole that will require something like a paperclip to access.

Reconfigure the network. This may be challenging on older models, but newer models have significantly simplified this process.

Update the firmware with patches from the manufacturer (another step that can be challenging for older models).

Some older routers may no longer have patches available, and if that is the case, then it is time to replace the router with a new, more secure model. In fact, any router that is more than ten years old should be replaced with an updated router that is less vulnerable to attack.

There are some benefits to using a newer router, such as enabling faster Wi-Fi speeds. Modern routers are also better at eliminating dead zones and are usually far easier to set up and configure than older models. Some newer routers support blocking of sites, which can be useful for parents trying to limit what their children can access through their home internet. Most importantly, however, is the improved security offered by modern routers, some of which come with their own anti-virus software.

There are some other steps you can take to protect your router. Make sure the default username and password for the device are immediately changed to something unique. Do not leave remote administration enabled, because it is just too easy for even low-level hackers to exploit. Also, do not allow internal devices to access the Internet without having a firewall in place.

Lessons Learned

Let’s review the lessons we can take away from this attack. First, updating your router can do much more than improve your Internet speed. It ensures your system is less vulnerable to attacks. Though the infection mechanism for VPNFilter remains unknown, it is established that it typically victimizes older routers.

Next, rebooting is not a quick fix for a VPNFilter infection. It helps the FBI track the number of infections and can reset a stage-two infection to stage one, but that is all it does. Since the target is older routers, it really is not worthwhile to try to update the firmware on an old router and reconfigure the network. The smarter, long-term solution is to replace old routers with newer models. Once you have a new router, check regularly for firmware updates and install them as soon as possible.

Protect Yourself Against Cybersecurity Threats

VPNFilter is a severe cybersecurity threat that is both complex and sophisticated. It is an excellent example of how dangerous malware and viruses are becoming. This spate of attacks also indicates that it’s not just large corporations or governments that can be impacted; small business owners and everyday people can be compromised as well. As tools and defenses are developed to prevent one type of attack, groups are always discovering new ways to exploit system vulnerabilities and design new attacks. That is why there is no one-time fix to solve all your system’s weaknesses. Whether you are an IT professional or a small business owner, you owe it to yourself to make sure your data and your customers’ data is as secure as possible.